b'                        FARM CREDIT ADMINISTRATION\n\n                 INDEPENDENT ACCOUNTANTS\xe2\x80\x99 REPORT:\n                     FEDERAL INFORMATION SECURITY\n                      MANAGEMENT ACT EVALUATION\n\n                      For the Year Ending September 30, 2006\n\n\n\n\nHARPER, RAINS, KNIGHT & COMPANY, P.A.\n   CERTIFIED PUBLIC ACCOUNTANTS\n       RIDGELAND, MISSISSIPPI\n\x0c\x0c                              Independent Accountants\xe2\x80\x99 Report: FISMA Evaluation\n\n\nTable of Contents\nExecutive Summary ...................................................................................................................... 2\nIndependent Accountants\xe2\x80\x99 Report .............................................................................................. 3\nAppendix A, Object, Scope, Methodology, and Results ............................................................ 4\nAppendix B, OMB FISMA Reporting Template ..................................................................... 13\nAppendix C, Acronyms and Abbreviations.............................................................................. 18\n\n\n\n\nPrepared by Harper, Rains, Knight & Company, P.A.                                                                                       1\n\x0c                      Independent Accountants\xe2\x80\x99 Report: FISMA Evaluation\n\n\nExecutive Summary\nThe Federal Information Security Management Act of 2002 (FISMA) requires agency program\nofficials, Chief Information Officers (CIO), and Inspector Generals (IGs) to conduct annual\nreviews of the agency\xe2\x80\x99s information security program and report the results to the Office of\nManagement and Budget (OMB). OMB issues annual reporting guidance in the form of a\nmemorandum to the respective parties. 
Under contract with the Farm Credit Administration\xe2\x80\x99s\n(FCA or the Agency) Officer of Inspector General we performed an evaluation of the Agency\xe2\x80\x99s\nsecurity program and practices, solely to assist the IG with the annual evaluation and reporting to\nOMB.\n\nThis report includes the objective, scope, methodology, and results of our evaluation to assist\nwith reporting requirements of the FISMA submitted to OMB.\n\nOur evaluation included determination of the critical elements which represent tasks that are\nessential for establishing compliance with FISMA, and guidelines issued by OMB, the\nGovernment Accountability Office (GAO), the Chief Information Officers (CIO) Council, and\nthe National Institute of Science and Technology (NIST) for each control category, including:\n\n    \xe2\x80\xa2   documented security policies;\n    \xe2\x80\xa2   documented security procedures;\n    \xe2\x80\xa2   implemented security procedures and controls;\n    \xe2\x80\xa2   tested and reviewed security procedures and controls; and\n    \xe2\x80\xa2   fully integrated security procedures and controls.\n\nOur evaluation was performed in accordance with Government Auditing Standards issued by the\nComptroller General of the United States.\n\nOur evaluation did not reveal any information security control matters that we deemed to be\nsignificant deficiencies that must be reported under FISMA.\n\n\n\n\nPrepared by Harper, Rains, Knight & Company, P.A.                                                 2\n\x0c                             Independent Accountants\xe2\x80\x99 Report\n\nMr. Carl Clinefelter,\nInspector General\nFarm Credit Administration\n1501 Farm Credit Drive\nMcLean, Virginia 22102-5090\n\n\nHarper, Rains, Knight & Company, P.A. 
conducted an evaluation of the Farm Credit\nAdministration\xe2\x80\x99s security program and practices for compliance with requirements of the Federal\nInformation Security Management Act of 2002 (FISMA).\n\nWe conducted the evaluation solely to assist the Office of Inspector General with the annual\nevaluation and reporting to Office of Management and Budget (OMB) of the Farm Credit\nAdministration\'s security program and practices.\n\nOur evaluation did not reveal any information security control matters that we deemed to be\nsignificant deficiencies that must be reported under OMB FISMA requirements, see Appendix B.\n\nWe conducted our evaluation in accordance Government Auditing Standards, issued by the\nComptroller General of the United States, for performance audits. Our objective, scope,\nmethodology, and results are detailed in Appendix A.\n\nWe were not engaged to, and did not perform an audit of Farm Credit Administration\xe2\x80\x99s security\nprogram and practices, the objective of which would be the expression of an opinion on such\ninformation. 
Accordingly, we do not express such an opinion.\n\nThis report is intended solely for the information and use of the Farm Credit Administration\xe2\x80\x99s\nOffice of Inspector General, Office of Management Services, and Board of Directors, and is not\nintended to be, and should not be, used by anyone other then these specified parties.\n\n\n\n\nHarper, Rains, Knight & Company, P.A.\nSeptember 29, 2006\n\n\n\n\n                                                                                             3\n\x0c                     Independent Accountants\xe2\x80\x99 Report: FISMA Evaluation\n\n\n                                                                                 APPENDIX A\n\nObjective\nThe objective of the evaluation was to (1) assist the IG in responding to reporting requirements\nissued by OMB and (2) verify and test the Agency\xe2\x80\x99s information system security program and\npractices.\n\n\n\nScope\nOur evaluation covered FCA\xe2\x80\x99s agency owned and contractor operated information systems of\nrecord as of September 30, 2006. FCA is a single program agency with five mission critical\nsystems. Mission critical systems are defined as any telecommunications or information system\nused or operated by an agency or by a contractor of an agency, or organization on behalf of an\nagency that processes any information, the loss, misuse, disclosure, or unauthorized access to or\nmodification of, would have a debilitating impact on the mission of an agency.\n\nIn accordance with FISMA and OMB\xe2\x80\x99s implementation guidance, we evaluated the following\nmission critical systems.\n\n1. Major Applications\n\n   a. 
Oracle Federal Financials from Bureau of the Public Debt (BPD)\n\n       Oracle Federal Financials is the major application used at BPD that supports all FCA core\n       accounting functions including budget execution, accounts payable, disbursements,\n       purchasing, travel, accounts receivable, general ledger, document tracking, project cost\n       accounting, and external reporting. The Administrative Resource Center (ARC) operates\n       Oracle version 11i, with the Oracle 9i database, which runs on the ARC subnet and\n       accesses data in the ARC Demilitarized Zone (DMZ) using Linux as its operating system.\n       ORACLE uses a two-tier web-based infrastructure with a front-end Internet user interface\n       and a database residing on the secure network. The application (web-applet) accesses the\n       database IP to IP on a specified port that is defined in the Access Control List. External\n       Internet access is via a SSL 128-bit encrypted connection. External security is also\n       provided by OIT through a PIX firewall and router Access Control Lists. ARC also uses a\n       report writer package called Discover that provides users with the ability to create their\n       own ad hoc reports for query purposes.\n\n\n   b. Payroll Services from National Finance Center (NFC)\n\n       The National Finance Center (NFC) located in New Orleans, Louisiana provides the\n       Personnel/Payroll System (PPS) to FCA. NFC provides distributed application and\n       telecommunications support for the remote site located in McLean, Virginia. NFC\n       developed a "master security plan" for the general support system in New Orleans. FCA\'s\n       Office of Management Services (OMS) maintains a security plan for the remote system at\n       FCA that incorporates provisions of the master security plan.\n\n\n\nPrepared by Harper, Rains, Knight & Company, P.A.                                              
4\n\x0c                     Independent Accountants\xe2\x80\x99 Report: FISMA Evaluation\n\n   c. Consolidated Reporting System (CRS)\n\n       CRS is a major application that supports FCA operations. CRS is an Oracle relational\n       database containing financial and statistical information on active and inactive Farm\n       Credit Institutions. CRS contains three distinct subsystems that are Call Report, Loan\n       Account Reporting System (LARS), and Web-based CRS Reports:\n\n       \xe2\x80\xa2      Call Report is comprised of financial information including a statement of\n       condition, statement of income, and supporting schedules that is collected quarterly from\n       the System Institutions. Call Report subsystem is monitored, analyzed, and assessed by\n       FCA examiners and financial analysts to ensure that the integrity and confidentiality of\n       financial data are maintained.\n\n       \xe2\x80\xa2      LARS database contains specific loans of System Lender Institutions. Institutions\n       submit the data quarterly to FCA via diskette or zip file. The loan data are loaded using\n       SQLLoader, and are then verified and validated by FCA personnel.\n\n       \xe2\x80\xa2       Web-based CRS Reports is an FCA developed application using the JavaScript\n       front-end interface and an Oracle database back-end application. The reports are built\n       using e-Reporting Suite, and are available on FCA\'s Web site. The Freedom of\n       Information Act (FOIA) versions of the reports are available to the public. The non-FOIA\n       versions of the reports are available to users who are authorized to view their institution\n       data.\n\n   d. Lotus Domino (Notes)\n\n       Lotus Domino (Notes) application is a database system software owned and maintained\n       by FCA. 
The application supports the daily administrative tasks including e-mail, group\n       discussion, calendaring and scheduling, database management, forms, and workflow of\n       FCA.\n\n2. Mission Critical General Support Systems\n\n   a. Windows Operating System\n\n       Windows is an operating system or the core program of a computer that allows the other\n       programs and applications to operate. Windows is fully integrated with networking\n       capabilities and was designed for client/server computing to facilitate user workstation\n       connections to servers and the sharing of information and services among computers.\n\n\n       Windows 2003 Server is the primary operating system installed on servers in the FCA\n       network. Additionally, Windows 2000 and XP are installed on agency laptop and desktop\n       computers where they function as a client to the FCA network as well as a stand-alone\n       operating system for the client hardware. Through Windows 2000/XP, users can access\n       network services such as file servers, e-mail, the Internet, applications and shared\n       hardware such as printers.\n\n\n\n\nPrepared by Harper, Rains, Knight & Company, P.A.                                                 5\n\x0c                     Independent Accountants\xe2\x80\x99 Report: FISMA Evaluation\n\n\nMethodology\n\nThe system evaluations were performed in accordance with the NIST assessment guide. 
The\nOffice of Inspector General, assisted by Harper, Rains, Knight & Company, P.A., the\nindependent evaluator, determined the critical elements that represent essential tasks for\nestablishing compliance with FISMA, and the guidelines issued by OMB, GAO, CIO Council,\nand NIST for each control category, including:\n\n    \xe2\x80\xa2      documented security policies;\n    \xe2\x80\xa2      documented security procedures;\n    \xe2\x80\xa2      implemented security procedures and controls;\n    \xe2\x80\xa2      tested and reviewed security procedures and controls; and\n    \xe2\x80\xa2      fully integrated security procedures and controls.\n\nFor each control category, the evaluator determined the associated objectives, risks, and critical\nactivities, as well as related control techniques and evaluation concerns specific to FCA\'s\ninformation technology environment.\n\n\nThe evaluation was conducted in accordance with the requirements and criteria found in GAO\'s\nFISCAM, OMB Circular A-130, Appendix III, "Security of Federal Automated Information\nResources," current NIST guidance, and the CIO Council Framework. We used this information\nto evaluate FCA\'s practices and addressed the above five control areas to be considered in\ndetermining compliance with FISMA. For each critical element, the evaluator made a summary\ndetermination as to the effectiveness of FCA\'s related controls. If the controls for one or more of\neach category\'s critical elements were found ineffective, then the controls for the entire category\nare not likely to be effective. 
The evaluator exercised its professional judgment in making such\ndeterminations.\n\nThe evaluation focused on the actual performance of the Agency\'s security program and\npractices and not on how the Agency measures its performance in its own annual evaluations.\nThe Agency\'s security controls were evaluated for programs and practices including testing the\neffectiveness of security controls for Agency systems or a subset of systems as required. The\nevaluator performed FISMA evaluations in accordance with Federal guidance, e.g., NIST\nSelf-Assessment Guide for Information Technology Systems.\n\n\nThe evaluation procedures were divided into three \xe2\x80\x9cclasses\xe2\x80\x9d and further divided into seventeen\n\xe2\x80\x9cfamilies\xe2\x80\x9d as identified in NIST Special Publication 800-53:\n   \xe2\x80\xa2    Management\n           o Risk assessment \xe2\x80\x93 Controls in place to categorize information systems in\n             accordance with FIPS 199, to assess the potential impact of unauthorized access,\n             and to update the risk assessment regularly.\n           o Planning \xe2\x80\x93 Controls in place to ensure a security plan is in place and to ensure the\n             plan is readily available, updated regularly, and tested.\n\n\n\n\nPrepared by Harper, Rains, Knight & Company, P.A.                                                
6\n\x0c                     Independent Accountants\xe2\x80\x99 Report: FISMA Evaluation\n\n          o System and services acquisition \xe2\x80\x93 Controls in place to allocate resources during\n            capital budgeting, using a system development life cycle, and to implement the\n            information system using security engineering principles.\n          o Certification, accreditation, and security awareness \xe2\x80\x93 Controls in place to certify\n            and accredit information systems and interconnected systems and to develop and\n            update the plan of action and milestones (POA&M).\n\n\n   \xe2\x80\xa2   Operational\n          o Personnel security \xe2\x80\x93 Controls in place for employee screening, handling of\n            terminated employees, and compliance failure sanctions.\n          o Physical and environmental control \xe2\x80\x93 Controls in place for physical access to the\n            building and areas sensitive to information systems, visitor access, and\n            preventative measures for physical damage to information systems components.\n          o Contingency planning \xe2\x80\x93 Controls in place for training, testing, and reviews of all\n            contingency plans as well as providing alternative storage and processing sites.\n          o Configuration management \xe2\x80\x93 Controls in place to document configuration\n            information, to monitor changes, and to restrict access to information systems.\n          o Maintenance \xe2\x80\x93 Controls in place to control remote diagnostic activities, restrict\n            personnel allowed to perform maintenance, keep maintenance contracts, and have\n            spare parts on hand.\n          o System and information integrity \xe2\x80\x93 Controls in place to correct system flaws,\n            monitor systems events, and protect against unauthorized changes.\n          o Media protection \xe2\x80\x93 Controls in place to ensure only authorized 
personnel have\n            access to sensitive media, appropriately mark and store media, and sanitize media\n            when it is no longer needed.\n          o Incident response \xe2\x80\x93 Controls and procedures in place to train personnel in their\n            roles, test the response capability, and properly document incidents.\n          o Awareness and training \xe2\x80\x93 Controls in place to implement security awareness and\n            training for all employees including managers and to monitor training and stay up\n            to date with current technology and security practices.\n\n\n   \xe2\x80\xa2   Technical\n          o Identification and authentication \xe2\x80\x93 Controls in place to identify and authenticate\n            users of information systems, to authenticate devices on information system\n            networks, and to mange users of information systems.\n          o Access control \xe2\x80\x93 Controls that limit and/or monitor access to computer resources\n            (data, programs, equipment, and facilities) to protect against unauthorized\n            modification, loss, and disclosure.\n          o Audit and accountability \xe2\x80\x93 Controls in place to generate, review, and protect audit\n            data and reports.\n          o Systems and communication protection \xe2\x80\x93 Controls in place to separate user\n            functionality from management, to protect against internet attacks, and to\n            establish trusted communication paths between the user and the system.\n\n\nPrepared by Harper, Rains, Knight & Company, P.A.                                            
7\n\x0c                     Independent Accountants\xe2\x80\x99 Report: FISMA Evaluation\n\n\n\n\nResults\nOur procedures did not reveal any information system security control matters that we deemed to\nbe significant deficiencies that must reported under FISMA.\n\nRisk assessment\n\nFCA has controls in place to categorize information systems in accordance with FIPS 199, to\nassess the potential impact of unauthorized access, and to update the risk assessment, at least\nannually. We found FCA has policies and procedures in place and that they are periodically\nreviewed. We found FCA categorizes information systems in accordance with FIPS 199. We\nfound FCA conducts annual risk assessments over their information systems. We found FCA has\na Continuity of Operations Plan (COOP) in place and that it is reviewed annually. We found\nFCA has a system in place to track general security notifications and assess potential impact.\n\nPlanning\n\nFCA has controls in place to ensure a security plan is in place and to ensure the plan is readily\navailable, updated regularly, and tested. We found FCA has policies and procedures in place and\nthat they are periodically reviewed. We found FCA has incorporated its security plans into the\nCOOP plan. We found the security plans are reviewed annually and revised when appropriate.\nWe found FCA provides training to employees on the expectations of using their information\nsystems. We founds FCA tests the impact of changes prior to implementing changes on their\ninformation systems.\n\nSystem and services acquisition\n\nFCA has controls in place to allocate resources during capital budgeting, using a system\ndevelopment life cycle, and to implement the information system using security engineering\nprinciples, where applicable. We found FCA has policies and procedures in place and that they\nare periodically reviewed. 
We found the Information Resources Management (IRM) plan\noutlines and budgets for future information technology needs. We found FCA applies a system\ndevelopment life cycle to their information systems. We found security is considered during\nFCA\xe2\x80\x99s information system planning and acquisition process. We found FCA tracks licenses and\ninstallations to comply with software usage restrictions. We found FCA does not allow software\nto be downloaded and installed unless it is supplied by FCA or approved on an individual basis.\nWe found that FCA designs and implements information systems using security engineering\nprinciples.\n\nCertification, accreditation, and security awareness\n\nFCA has controls in place to certify and accredit information systems and interconnected\nsystems and to develop and update the plan of action and milestones (POA&M). We found FCA\nhas policies and procedures in place and that they are periodically reviewed. We found FCA\n\n\nPrepared by Harper, Rains, Knight & Company, P.A.                                                 8\n\x0c                     Independent Accountants\xe2\x80\x99 Report: FISMA Evaluation\n\nconducts assessments of security controls in information systems annually to determine the\nextent to which controls are implemented correctly, operating as intended, and producing the\ndesired outcome. We found FCA authorizes all interconnections to other information systems\noutside the accreditation boundary and monitors/controls the information system interconnects\non an ongoing basis. We found FCA develops and updates POA&Ms and reports POA&Ms on a\nquarterly basis. We found FCA has a policy to perform C&A on its information systems every\nthree years or when significant information systems changes occur.\n\nPersonnel Security\n\nFCA has controls in place for employee screening, handling of terminated employees, and\ncompliance failure sanctions. 
We found FCA has policies and procedures in place and that they\nare periodically reviewed. We found each FCA Position Description (PD) has a \xe2\x80\x9cPosition\nSensitivity\xe2\x80\x9d indicator. We found FCA employees are not granted access to information systems\nwithout a sponsor\xe2\x80\x99s approval. We found when an employee is terminated, quits, or retires FCA\nrequires the individual to complete a separation checklist. We found FCA requires new hires and\ncontractors to sign FCA\xe2\x80\x99s Computer Security Program Employee Certification, which declares\nthey have read FCA\xe2\x80\x99s Computer Security Program, Policies, and Procedures Manual.\n\nPhysical and environmental protection\n\nFCA has controls in place for physical access to the building and areas sensitive to information\nsystems, visitor access, and preventive measures for physical damage to information systems\ncomponents. We found FCA has policies and procedures in place and that they are periodically\nreviewed. We found FCA issues identification badges to all personnel, including contractors. We\nfound FCA controls all entry point via either guarded entry or Kastle Key access. We found a\nvisitor access log is maintained at the front desk. We found FCA\xe2\x80\x99s information system\ndistribution and transmission lines are run through the secured computer room. We found all\nvisitors must be escorted in to the computer room by an FCA employee. We found FCA\nmaintains an uninterruptible power supply for the secured computer room. We found FCA\nimplements redundant HVAC units in the controlled computer room to control the temperature.\nWe found FCA keeps track of computers through the Property Management Tracking System\n(PMTS).\n\nContingency planning\n\nFCA has controls in place for training, testing, and reviews all contingency plans as well as\nproviding alternative storage and processing sites. 
We found FCA has policies and procedures in\nplace and that they are periodically reviewed. We found responsible FCA personnel have been\ntrained as to their responsibilities in the event of an emergency and the COOP has been regularly\ntested via the COGCON exercises. We found the COOP is reviewed annually and updated as\nrequired. We found FCA has an emergency operations center that serves as its alternate\nprocessing site and the resumption of information system operations for mission critical\nfunctions when the primary processing capabilities are unavailable. We found FCA runs backups\nof user and systems information daily (incremental) and weekly (full).\n\n\n\n\nPrepared by Harper, Rains, Knight & Company, P.A.                                               9\n\x0c                     Independent Accountants\xe2\x80\x99 Report: FISMA Evaluation\n\n\nConfiguration management\n\nFCA has controls in place to document configuration information, to monitor changes, and to\nrestrict access to information systems. We found FCA has policies and procedures in place and\nthat they are periodically reviewed. We found information system changes are tested and\nmonitored after being put in production. We found FCA has established configuration setting for\ninformation technology, has set default access as none, and enforces configuration settings in all\ncomponents of the information system.\n\nMaintenance\n\nFCA has controls in place to control remote diagnostic activities, restrict personnel allowed to\nperform maintenance, keep maintenance contracts, and have spare parts on hand. We found FCA\nhas policies and procedures in place and that they are periodically reviewed. We found FCA does\nnot have vendors perform preventative maintenance on servers. We found FCA runs HP/Compaq\nInsight System Manager, which monitors the health of servers and reports on problems via email.\nWe found FCA controls and monitors maintenance on FCA laptops. 
We found FCA has a\ncontract with a four hour response time to repair the servers.\n\nSystem and information integrity\n\nFCA has controls in place to correct system flaws, monitor system events, and protect against\nunauthorized changes. We found FCA has policies and procedures in place and that they are\nperiodically reviewed. We found FCA has virus protection software installed and it updates\nautomatically. We found FCA continuously monitors the information systems to detect attacks\nand prevent unauthorized use. We found FCA participates in the US-CERT program. We found\nFCA restricts which personnel can make changes to the information systems. We found FCA\napplications have edit checks built in to ensure data integrity.\n\nMedia protection\n\nFCA has controls in place to ensure only authorized personnel have access to sensitive media,\nmark and store media, and sanitize media when it is no longer needed. We found FCA has\npolicies and procedures in place and that they are periodically reviewed. We found FCA restricts\nuser access to drives and applications. We found FCA labels do not indicate what is stored on the\nmedia and that back up tapes are stored in a safe. We found FCA controls the system media and\nrestricts the pickup, receipt, transfer, and delivery of such media to authorized personnel.\n\nIncident response\n\nFCA has controls and procedures in place to train personnel in their roles, test the response\ncapability, and properly document incidents. We found FCA has policies and procedures in place\nand that they are periodically reviewed. We found FCA trains their employees to respond to\nincidents. We found FCA continually monitors for intrusions and documents and investigates\nunusual activity.\n\n\n\n\nPrepared by Harper, Rains, Knight & Company, P.A.                                               
10\n\x0c                     Independent Accountants\xe2\x80\x99 Report: FISMA Evaluation\n\n\nAwareness and training\n\nFCA has controls in place to implement security awareness and training for all employees\nincluding managers and to monitor training and stay up to date with current technology and\nsecurity practices. We found FCA has policies and procedures in place and they are periodically\nreviewed. We found FCA requires all employees to complete an annual Information Technology\nSecurity Awareness training. We found FCA documents annual security training activities\nthrough FCA News Flash emails.\n\nIdentification and authentication\n\nFCA has controls in place to identify and authenticate users of information systems, to\nauthenticate devices on information system networks, and to manage users of information\nsystems. We found FCA has policies and procedures in place and that they are periodically\nreviewed. We found FCA users must be authenticated before accessing any resource not publicly\navailable on the internet. We found the encryption used on the website to access FCA\ninformation, SSL, meets federal standards.\n\nAccess control\n\nFCA has controls that limit and monitor access to computer resources to protect against\nunauthorized modification, loss, and disclosure. We found FCA has policies and procedures in\nplace and that they are periodically reviewed. We found FCA deactivates accounts after a\ndefined period of inactivity and passwords must be changed periodically. We found FCA uses\nleast privileged access. We found FCA enforces segregation of duties through assigned\nauthorization. We found FCA locks computers after three consecutive unsuccessful login\nattempts. We found that FCA does not permit employees to use personally owned equipment to\naccess the FCA network.\n\nAudit and accountability\n\nFCA has controls in place to generate, review, and protect audit data and reports. 
We found FCA\nhas policies and procedures in place and that they are periodically reviewed. We found FCA\ninformation systems keep logs which provide an audit trail. We found FCA is notified via email\nof suspicious events in addition to the event being recorded in the log. We found FCA has the\nability to produce audit trail reports from the firewall and intrusion detection system. We found\nFCA\xe2\x80\x99s event/audit logs include time stamps. We found FCA audit log information is restricted to\nthe information technology personnel.\n\nSystem and communications protection\n\nFCA has controls in place to separate user functionality from management, to protect against\ninternet attacks, and to establish trusted communication paths between the user and the system.\nWe found FCA has policies and procedures in place and that they are periodically reviewed. We\nfound FCA enforces access controls in order to limit personnel who use the system from\npersonnel who manage the system. We found FCA has controls in place to limit the effects of\n\n\n\nPrepared by Harper, Rains, Knight & Company, P.A.                                             11\n\x0c                     Independent Accountants\xe2\x80\x99 Report: FISMA Evaluation\n\ncommon attacks, including denial of service attacks. We found FCA has controls in place to\nensure high priority processes, such as virus scans, have access to needed resources. We found\nFCA information is transmitted by secure means such as SSL. We found FCA terminates remote\nconnections after 30 minutes of inactivity. We found FCA separates FOIA information from\nprivate information on the website.\n\n\n\n\nPrepared by Harper, Rains, Knight & Company, P.A.                                           
APPENDIX B

OMB FISMA Reporting Template

Section C: Inspector General. Questions 1, 2, 3, 4, and 5.

Agency Name: Farm Credit Administration

Questions 1 and 2

1. As required in FISMA, the IG shall evaluate a representative subset of systems, including information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. By FIPS 199 risk impact level (high, moderate, low, or not categorized) and by bureau, identify the number of systems reviewed in this evaluation for each classification below (a., b., and c.).

   To meet the requirement for conducting a NIST Special Publication 800-26 review, agencies can:
   1) continue to use NIST Special Publication 800-26, or
   2) conduct a self-assessment against the controls found in NIST Special Publication 800-53.

   Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self-reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

2. For each part of this question, identify actual performance over the past fiscal year by risk impact level and bureau, in the format provided below. From the representative subset of systems evaluated, identify the number of systems which have completed the following: have a current certification and accreditation, a contingency plan tested within the past year, and security controls tested within the past year.

The template provides rows for several bureaus. FCA reports as a single bureau, so only its rows are populated and the agency totals equal the FCA sub-totals. Percentages in Question 2 are of the total number of systems in that row; rows with no systems have no percentage.

Question 1: systems reviewed (Bureau: Farm Credit Administration)

                         a. Agency systems      b. Contractor systems    c. Total
FIPS 199 risk impact     Total    Reviewed      Total    Reviewed        Total    Reviewed
High                       2         2            0         0              2         2
Moderate                   1         1            2         2              3         3
Low                        0         0            0         0              0         0
Not categorized            0         0            0         0              0         0
Sub-total                  3         3            2         2              5         5

Question 2: status of the systems reviewed (Bureau: Farm Credit Administration)

                         a. Certified and       b. Security controls     c. Contingency plans tested
                            accredited             tested and evaluated     in accordance with policy
                                                   in the last year         and guidance
FIPS 199 risk impact     Number   Percent       Number   Percent         Number   Percent
High                       1       50.0%          2      100.0%            2      100.0%
Moderate                   2       66.7%          3      100.0%            3      100.0%
Low                        0        n/a           0       n/a              0       n/a
Not categorized            0        n/a           0       n/a              0       n/a
Sub-total                  3       60.0%          5      100.0%            5      100.0%

Agency totals are the same as the FCA sub-totals above: 3 of 3 agency systems and 2 of 2 contractor systems were reviewed (5 of 5 in total); 3 of 5 (60.0%) were certified and accredited; 5 of 5 (100.0%) had security controls tested and evaluated in the last year; and 5 of 5 (100.0%) had contingency plans tested in accordance with policy and guidance.
Question 3

In the format below, evaluate the agency's oversight of contractor systems, and agency system inventory.

3.a.   The agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy. Self-reporting of NIST Special Publication 800-26 and/or NIST 800-53 requirements by a contractor or other organization is not sufficient; however, self-reporting by another Federal agency may be sufficient.

       Response categories:
         - Rarely, for example, approximately 0-50% of the time
         - Sometimes, for example, approximately 51-70% of the time
         - Frequently, for example, approximately 71-80% of the time
         - Mostly, for example, approximately 81-95% of the time
         - Almost Always, for example, approximately 96-100% of the time

       Response: Almost Always, for example, approximately 96-100% of the time

3.b.1. The agency has developed an inventory of major information systems (including major national security systems) operated by or under the control of such agency, including an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.

       Response categories:
         - Approximately 0-50% complete
         - Approximately 51-70% complete
         - Approximately 71-80% complete
         - Approximately 81-95% complete
         - Approximately 96-100% complete

       Response: Approximately 96-100% complete

3.b.2. If the Agency IG does not evaluate the Agency's inventory as 96-100% complete, please list the systems that are missing from the inventory.

       Missing agency systems: N/A
       Missing contractor systems: N/A

3.c.   The OIG generally agrees with the CIO on the number of agency owned systems.
       Response: Yes

3.d.   The OIG generally agrees with the CIO on the number of information systems used or operated by a contractor of the agency or other organization on behalf of the agency.
       Response: Yes

3.e.   The agency inventory is maintained and updated at least annually.
       Response: Yes

3.f.   The agency has completed system e-authentication risk assessments.
       Response: Yes
Question 4

Through this question, and in the format provided below, assess whether the agency has developed, implemented, and is managing an agency-wide plan of action and milestones (POA&M) process. Evaluate the degree to which the following statements reflect the status in your agency by choosing from the responses provided in the drop-down menu. If appropriate or necessary, include comments in the area provided below.

For items 4.a.-4.f., the response categories are as follows:
  - Rarely, for example, approximately 0-50% of the time
  - Sometimes, for example, approximately 51-70% of the time
  - Frequently, for example, approximately 71-80% of the time
  - Mostly, for example, approximately 81-95% of the time
  - Almost Always, for example, approximately 96-100% of the time

4.a.  The POA&M is an agency-wide process, incorporating all known IT security weaknesses associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency.
      Response: Almost Always, for example, approximately 96-100% of the time

4.b.  When an IT security weakness is identified, program officials (including CIOs, if they own or operate a system) develop, implement, and manage POA&Ms for their system(s).
      Response: Almost Always, for example, approximately 96-100% of the time

4.c.  Program officials, including contractors, report to the CIO on a regular basis (at least quarterly) on their remediation progress.
      Response: Almost Always, for example, approximately 96-100% of the time

4.d.  CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.
      Response: Almost Always, for example, approximately 96-100% of the time

4.e.  OIG findings are incorporated into the POA&M process.
      Response: Almost Always, for example, approximately 96-100% of the time

4.f.  POA&M process prioritizes IT security weaknesses to help ensure significant IT security weaknesses are addressed in a timely manner and receive appropriate resources.
      Response: Almost Always, for example, approximately 96-100% of the time

Comments: none.

Question 5

OIG Assessment of the Certification and Accreditation Process. OMB is requesting IGs to provide a qualitative assessment of the agency's certification and accreditation process, including adherence to existing policy, guidance, and standards. Agencies shall follow NIST Special Publication 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems" (May 2004), for certification and accreditation work initiated after May 2004. This includes use of FIPS 199 (February 2004), "Standards for Security Categorization of Federal Information and Information Systems," to determine an impact level, as well as associated NIST documents used as guidance for completing risk assessments and security plans.

Assess the overall quality of the Department's certification and accreditation process.

Response categories:
  - Excellent
  - Good
  - Satisfactory
  - Poor
  - Failing

Response: Good

Comments: In FY 2006, FCA planned an independent contract review to provide an independent certification and accreditation (C&A) on its remaining two agency systems. Due to a transfer of procurement services to the Bureau of Public Debt, the contract was not finalized in time to complete the C&As in FY 2006. The C&As will be performed in the first quarter of FY 2007.

Section B: Inspector General. Questions 6, 7, 8, and 9.

Agency Name: Farm Credit Administration

Question 6

6.a.  Is there an agency-wide security configuration policy? Yes or No.
      Response: Yes
      Comments: none.

6.b.  Configuration guides are available for the products listed below. Identify which software is addressed in the agency-wide security configuration policy. Indicate whether or not any agency systems run the software. In addition, approximate the extent of implementation of the security configuration policy on the systems running the software.

      Response choices for the extent of implementation:
        - Rarely, or on approximately 0-50% of the systems running this software
        - Sometimes, or on approximately 51-70% of the systems running this software
        - Frequently, or on approximately 71-80% of the systems running this software
        - Mostly, or on approximately 81-95% of the systems running this software
        - Almost Always, or on approximately 96-100% of the systems running this software

      Product                     Addressed in        Do any agency        Extent of implementation on the
                                  agency-wide policy? systems run          systems running the software
                                  (Yes, No, or N/A)   this software?
                                                      (Yes or No)
      Windows XP Professional     Yes                 Yes                  Almost Always (approximately 96-100%)
      Windows NT                  Yes                 Yes                  Almost Always (approximately 96-100%)
      Windows 2000 Professional   Yes                 Yes                  Almost Always (approximately 96-100%)
      Windows 2000 Server         N/A                 No                   not applicable
      Windows 2003 Server         Yes                 Yes                  Almost Always (approximately 96-100%)
      Solaris                     N/A                 No                   not applicable
      HP-UX                       N/A                 No                   not applicable
      Linux                       N/A                 No                   not applicable
      Cisco Router IOS            Yes                 Yes                  Almost Always (approximately 96-100%)
      Oracle                      Yes                 Yes                  Almost Always (approximately 96-100%)
      Other (specify):            N/A                 No                   not applicable

      Comments: none.

Question 7

Indicate whether or not the following policies and procedures are in place at your agency. If appropriate or necessary, include comments in the area provided below.

7.a.  The agency follows documented policies and procedures for identifying and reporting incidents internally. Yes or No.
      Response: Yes

7.b.  The agency follows documented policies and procedures for external reporting to law enforcement authorities. Yes or No.
      Response: Yes

7.c.  The agency follows defined procedures for reporting to the United States Computer Emergency Readiness Team (US-CERT), http://www.us-cert.gov. Yes or No.
      Response: Yes

Comments: none.

Question 8

8.    Has the agency ensured security training and awareness of all employees, including contractors and those employees with significant IT security responsibilities?

      Response choices include:
        - Rarely, or approximately 0-50% of employees have sufficient training
        - Sometimes, or approximately 51-70% of employees have sufficient training
        - Frequently, or approximately 71-80% of employees have sufficient training
        - Mostly, or approximately 81-95% of employees have sufficient training
        - Almost Always, or approximately 96-100% of employees have sufficient training

      Response: Almost Always, or approximately 96-100% of employees have sufficient training

Question 9

9.    Does the agency explain policies regarding peer-to-peer file sharing in IT security awareness training, ethics training, or any other agency-wide training? Yes or No.
      Response: Yes
APPENDIX C

Acronyms and Abbreviations
ARC          Administrative Resource Center
BPD          Bureau of Public Debt, Oracle Federal Financials
C&A          Certification and Accreditation
CIO          Chief Information Officer
COGCON       Continuity of Government Condition
COOP         Continuity of Operations Plan
CRS          Consolidated Reporting System
DMZ          Demilitarized Zone
FCA/Agency   Farm Credit Administration
FIPS         Federal Information Processing Standards
FISCAM       Federal Information System Controls Audit Manual
FISMA        Federal Information Security Management Act of 2002
FOIA         Freedom of Information Act
FY           Fiscal Year
GAO          Government Accountability Office
HP           Hewlett-Packard
HVAC         Heating, Ventilating, and Air Conditioning
IP           Internet Protocol
IRM          Information Resource Management
IT           Information Technology
LARS         Loan Account Reporting System
NFC          National Finance Center
NIST         National Institute of Standards and Technology
OCFO         Office of the Chief Financial Officer
OIG/IG       Office of the Inspector General / Inspector General
OIT          Office of Information Technology
OMB          Office of Management and Budget
OMS          Office of Management Services
PD           Position Description
PMTS         Property Management Tracking System
POA&M        Plan of Action and Milestones
PPS          Personnel/Payroll System
SSL          Secure Sockets Layer
System       Farm Credit System
US-CERT      United States Computer Emergency Readiness Team